- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How do I reorder columns in xyseries?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise 6.4.1.
I am trying to create a single table that displays data like this:
Priority 1 Priority 2 Priority 3
server Count Volume Count Volume Count Volume
server-1 123 2.34 10 .13 75 1.72
server-2 195 2.32 15 .19 174 1.93
However, using the xyseries command, the data is output like this:
server count:1 count:2 count:3 volume:1 volume:2 volume:3
server-1 123 10 75 2.34 .13 1.72
server-2 195 15 174 2.32 .19 1.93
I think we can live with the column headers looking like "count:1" etc, but is it possible to rearrange the columns so that the columns for count/volume for a specific priority are side-by-side? This is the search I use to generate the table:
index=foo | stats count as count sum(filesize) as volume by priority, server | xyseries server priority count volume | fill null
Ideally, I'd like to change the column headers to be multiline like
Priority 1
count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated
index=foo | chart count as count sum(filesize) as volume by server priority | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated
index=foo | chart count as count sum(filesize) as volume by server priority | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works great! As an aside, I was able to use the same rename command with my original search. I didn't know you could use the wildcard in that way. Very cool!
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
